As of 2020, the average cost of a successful cyber breach is $3.9m – 12% up from last year. It’s not surprising that companies have high expectations when they hire a CISO.
COVID-19 has introduced unique security challenges for the incoming CISO. Working from home has accelerated endpoint security risks. Many organizations face expanded cybersecurity attack surfaces due to bring-your-own-computer policies, unsecured home networks, sophisticated phishing, and ransomware attacks. Established CISOs will find this difficult to deal with – a new CISO has an even bigger task ahead.
If you’re the new CISO, you’ll want to establish credibility right from the start while taking the right steps to prevent any cyber breaches during your tenure. In this article, we outline the big wins you need to ensure that your first 90 days on the job are a success.
1. Establish a baseline
As a new CISO, you can’t just jump in and take action without a good knowledge of the status quo. Understanding the reality of the technology estate you’re there to secure will help to build a cohesive action plan later on. What needs to be in your baseline? These are a few of the points you need to establish:
- State of the infrastructure. As CISO you need to assess whether there are any obvious gaps in your cybersecurity infrastructure – and any clear security weaknesses in the overall infrastructure your organization depends on.
“Many organizations are like a lollipop we all loved as a kid: the orgs have a hard shell with a soft center. The firewalls and boundary defense are great to prevent breaches, but once past those controls via phishing or another tactic, a hacker can easily move across servers and devices using vulnerability exploits.” — Matt Hollcraft, Global CISO in Private Equity.
- Vendor evaluation. Verify the state of the vendors you depend on and identify any clear cyber risks that need urgent action. What requirements do your teams have for 3rd party tools? Are test plans in place to evaluate and compare their performance?
- Cybersecurity awareness. Stepping in, it’s critical that you evaluate the overall cybersecurity awareness within your team – and across the entire organization. Getting answers to the following questions will help you to better understand where your baseline falls:
  - Are cybersecurity best practices established – or is the organization taking unnecessary risks?
  - Do your teams leverage best practice strategies for crucial areas like Endpoint Detection and Response (EDR)?
  - Is your department implementing SOAR technologies (Security Orchestration, Automation, and Response) to minimize harm should security breaches occur?
Your baseline will tell you where the quick wins are, including the most serious risks. While a baseline will guide your first 90 days, there is another assessment that you must do in thorough detail – as soon as it is realistically possible.
2. A thorough vulnerability assessment
A deep vulnerability assessment will uncover critical security holes that can be exploited at any moment – and in the worst case, just as you start your tenure.
Getting a vulnerability picture across your technology estate should be your first step in assessing the security posture of your organization. If looking through lists of CVEs doesn’t sound like a good use of time, look to automated vulnerability scanning tools like Nessus, if these are not already in place.
Your next step should be endpoints. Recent Gallup polls show that at least 33% of workers in the US have switched to always working from home, a change many employers may make permanent long after COVID-19 is contained. Many organizations still haven’t adapted their endpoint security to reflect the large numbers of devices that operate outside traditional protective measures, such as those of employees working from home.
While risk profiles vary from company to company, even organizations that aren’t being actively targeted can end up victims due to unpatched security vulnerabilities. All it takes for a successful breach is a single forgotten patch. As CISO you need to know what steps your organization takes when it comes to updating core software on your infrastructure and client devices to mitigate security threats.
Finally, broader compliance is also something you must evaluate. Is your organization subject to specific compliance regulations? If so – what’s your compliance status? Has compliance drifted from the last certification effort?
Once you’ve taken stock of your organization’s baseline security posture and mapped vulnerabilities to identify the highest risk security issues, you are almost ready to build a fix into your action plan.
3. Engage with stakeholders
Before you start to put an action plan in place you should work on your next quick win: building credibility with stakeholders. According to Deloitte CISO Labs, ~50% of all CISOs in America say alignment with stakeholders is the primary obstacle to improving the security posture of their organization.
What do we mean by stakeholders? Essentially, anyone who has a direct impact on your ability to succeed in establishing a persistently cyber-secure environment at your new employer.
This goes beyond your tech team. Consider budgets for example and the senior leaders who can influence the size of your cybersecurity budget. CIOs, CEOs, and even board members are key stakeholders that can influence the impact you’ll have in your role.
Meeting with stakeholders can ensure that you are aligned with the business strategy and priorities. If you are developing or updating a security plan, consider including stakeholders in the process and identify business KPIs that are affected by the organization’s security posture.
Cyber-safe habits and practices are driven from the top, so it’s up to you as the CISO to establish strong links with stakeholders – and to motivate those stakeholders to become advocates for change.
Overall, as a CISO you are much more likely to push through tough changes if you’ve built relationships with key stakeholders – it’s an important early win.
4. The 90-day cybersecurity action plan
Your first quick wins are essentially about fact-finding – and relationship building. This builds up to your last and most important quick win: an effective, realistic action plan that plugs critical cybersecurity holes. In contrast, a lack of planning can mean that your first 90 days are not spent effectively.
A 90-day action plan could look like this:
- Address vulnerabilities. The vulnerability assessment you completed should be your starting point. Prioritize vulnerabilities according to the security risks they pose – and fix those first.
- Sort out patching. Patching is a time-intensive process, but a crucial component to maintaining a robust security posture. An automated endpoint management solution like aiden can dramatically cut the lead time to deploying patches and reduce the risk of a data breach. Aim for patching tools that are proactive and will update based on changes to device policy and configuration settings so when new software is supported by your organization, your patching efforts won’t lag behind.
- Secure endpoints. Your patching solution will help improve endpoint security, but also put in place measures to mitigate phishing attacks, such as 2FA, and consider using VPNs for remote devices.
- Fix infrastructure risks. Any doubts about your infrastructure? Address them if you can. Implementing an external DNS provider to drive better protection against malware is one step to reduce your risk profile and costly downtime to the organization.
- Improve threat response. Cybersecurity is as much about preventing breaches as it is about quick, effective responses. Put a response plan in place – or outsource incident response if you don’t have the internal skills.
While addressing every risk in your action plan may not be feasible, you could start by prioritizing the 5 biggest items from your assessment. Demonstrating your ability to improve the organization’s security posture within your first few months will help to build trust and support for your role.
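The action plan above says to rank the findings from your vulnerability assessment by the risk they pose and fix the biggest few first. The script below is an added illustration of that step, not code from the original article or from aiden: it takes a handful of constructed scan findings (hypothetical hosts and finding ids, not real CVEs) and ranks them by a simple risk score that weights the CVSS base score by asset criticality, internet exposure and whether a working exploit is known, then maps the top items to an action. The weighting factors are an assumption chosen for the example; the point it makes is that the highest CVSS score is not automatically the highest priority.

```python
from dataclasses import dataclass
from typing import List, Tuple

# One row of a vulnerability scan, enriched with the business context a
# scanner does not know (who owns the asset, how important it is).
@dataclass
class Finding:
    finding_id: str          # hypothetical id, e.g. "F-001" (not a real CVE)
    asset: str               # hypothetical hostname
    cvss: float              # CVSS base score, 0.0 .. 10.0
    asset_criticality: int   # 1 (low) .. 3 (high), set with the business owner
    internet_exposed: bool   # reachable from outside the perimeter?
    exploit_known: bool      # a working exploit is publicly known?
    patch_available: bool    # vendor fix exists?


# Weights are an assumption for this example; tune them to your environment.
EXPOSURE_MULTIPLIER = 1.5
EXPLOIT_MULTIPLIER = 1.5


def priority_score(f: Finding) -> float:
    """Risk-weighted score: CVSS scaled by how much the asset matters and
    how easy it is for an attacker to reach and exploit it."""
    score = f.cvss * f.asset_criticality
    if f.internet_exposed:
        score *= EXPOSURE_MULTIPLIER
    if f.exploit_known:
        score *= EXPLOIT_MULTIPLIER
    return round(score, 2)


def top_findings(findings: List[Finding], n: int = 5) -> List[Finding]:
    """Highest-risk findings first; ties broken by asset name for stability."""
    return sorted(findings, key=lambda f: (-priority_score(f), f.asset))[:n]


def remediation_plan(findings: List[Finding], n: int = 5) -> List[Tuple[str, str, str]]:
    """(finding_id, asset, action) for the top-n findings. Where no patch
    exists, the action is a compensating control (isolation, WAF rule, etc.)."""
    plan = []
    for f in top_findings(findings, n):
        action = "patch" if f.patch_available else "compensating control"
        plan.append((f.finding_id, f.asset, action))
    return plan


# Constructed sample data: hypothetical hosts and finding ids.
SAMPLE_FINDINGS = [
    Finding("F-001", "vpn-gw-01",    9.8, 3, True,  True,  True),
    Finding("F-002", "hr-laptop-17", 7.8, 1, False, False, True),
    Finding("F-003", "db-prod-02",   8.1, 3, False, False, True),
    Finding("F-004", "web-app-01",   6.5, 2, True,  False, False),
    Finding("F-005", "test-srv-09",  9.9, 1, False, False, True),
    Finding("F-006", "mail-gw-01",   7.4, 3, True,  True,  True),
    Finding("F-007", "print-srv-03", 5.3, 1, False, False, True),
]

if __name__ == "__main__":
    for f in top_findings(SAMPLE_FINDINGS):
        print(f"{f.finding_id} {f.asset:<13} cvss={f.cvss:<4} score={priority_score(f)}")
    print(remediation_plan(SAMPLE_FINDINGS))
```

Note that F-005 carries the highest CVSS score in the sample but lands last in the top five: it sits on a low-value, non-exposed test box. The internet-facing VPN and mail gateways with known exploits come first, and the web application with no vendor patch is flagged for a compensating control rather than left waiting for a fix.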
This support will help you to tackle the more difficult, long term challenges of instilling a cybersecurity aware culture, or urgent tasks like patching core vulnerabilities or coordinating the response to a security breach.
5. Move past your preconceptions
Your last key win comes down to your personal perspective. It’s human nature to project your past experiences onto the present, but as a CISO you must understand that the organization that has just employed you is a very different beast from the one you left. Preconceptions can delay your progress – or worse, set you up for failure.
You can’t presume that your new employer has a similar cybersecurity posture or that the cyber risks are similar. Don’t kick off assuming that you know the way forward based on your past experience.
The cybersecurity environment is complex, and every organization is different. Thinking that you already know what needs to be done and that there’s no need to listen or consult can set you up for failure.
Instead, drop your preconceptions and approach your new role as if it is brand new territory. Doing so ensures you have a clear picture of the new role you’re in – and makes it easier to identify the most critical tasks for your first 90 days.
Fed up running around wasting valuable resources on an ineffective patching regime? Why not give aiden a try? aiden automates patching and saves time on new builds too.